Google has released August security updates for Android, which include patches for six vulnerabilities. Two of these issues are related to Qualcomm components and have already been used in targeted attacks.
The vulnerabilities that were under attack have been assigned the identifiers CVE-2025-21479 and CVE-2025-27038, and the Android security team learned about them back in January 2025.
The first issue (CVE-2025-21479) is related to incorrect authorization in the Graphics framework, which may lead to memory corruption due to the execution of unauthorized commands in the GPU micro-module under a specific sequence of commands.
The second issue (CVE-2025-27038) is a use-after-free bug that causes memory corruption when using Adreno GPU drivers for rendering in Chrome.
It is noted that Google included patches in the update, announced by Qualcomm back in June of this year. At that time, the manufacturer warned that, according to specialists at Google Threat Analysis Group, vulnerabilities CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038 could be exploited “in limited targeted attacks.”
“In May, OEM partners were provided with fixes for issues affecting the Adreno GPU driver, along with a strong recommendation to deploy the update on affected devices as soon as possible,” Qualcomm reported at the time.
With the release of the August updates, Google also fixed a critical vulnerability in the System component (CVE-2025-48530). This issue could be exploited for remote unauthenticated code execution, but only if combined with other bugs. Moreover, no user interaction was required.
Google developers have traditionally released two levels of updates: 2025-08-01 and 2025-08-05. The latter includes all patches from the former, as well as fixes for closed-source components and kernel subsystems that may not be applicable to all Android devices.